ts-2024-002
Vulnerability from tailscale

Description: We resolved an information disclosure vulnerability in the hello.ts.net service.

What happened?

On January 15 2024, we became aware of a potential information disclosure vulnerability in the hello.ts.net service, which could show the identity of a different Tailscale user when loaded. The hello.ts.net service receives identity information and public keys of nodes tied to their IP address. On November 28 2023, we made a change to how IPs are assigned to Tailscale nodes, making them globally non-unique. When the Tailscale service assigned the same IP to multiple nodes, hello.ts.net would receive identity information for one of the nodes at random. We confirmed on January 26 2024 that, if one of the other nodes with that IP loaded hello.ts.net, they would see another user's name, email, and hostname.

The Tailscale Security Team immediately took hello.ts.net offline while the fix was in progress. The issue has been fixed and the hello.ts.net service was restored on January 29 2024.

Who was affected?

The incident was isolated to 10 users across 9 tailnets who could have had their information leaked to other Tailscale users. We notified the tailnet security contacts directly in accordance with our obligations under applicable data privacy laws. Due to the random nature of the vulnerability, we cannot confirm that all of those users were indeed affected.

Regular shared nodes always see unique node IPs and were not vulnerable in a manner similar to hello.ts.net.

What was the impact?

A small number of users had their name, email, and hostname potentially exposed to other Tailscale users that had nodes sharing the same IP.

In addition, the hello.ts.net service was offline between January 26-29 2024. Several users reported being negatively impacted by this.

What do I need to do?

No action is needed at this time.

If you have a dependency on hello.ts.net as a probing target for Tailscale connectivity, consider using a different probing mechanism.

Show details on source website

To clipboard 

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2024-002",
  "link": "https://tailscale.com/security-bulletins/#ts-2024-002",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2024-002",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Tue, 30 Jan 2024 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: We resolved an information disclosure vulnerability in the\n\u003ca href=\"https://tailscale.com/kb/1073/hello\"\u003ehello.ts.net\u003c/a\u003e service.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eOn January 15 2024, we became aware of a potential information disclosure\nvulnerability in the \u003ccode\u003ehello.ts.net\u003c/code\u003e service, which could show the identity of a\ndifferent Tailscale user when loaded. The \u003ccode\u003ehello.ts.net\u003c/code\u003e service receives\nidentity information and public keys of nodes tied to their IP address. On\nNovember 28 2023, we made a \u003ca href=\"https://tailscale.com/blog/choose-your-ip\"\u003echange\u003c/a\u003e to how IPs are assigned to\nTailscale nodes, making them globally non-unique. When the Tailscale service\nassigned the same IP to multiple nodes, \u003ccode\u003ehello.ts.net\u003c/code\u003e would receive identity\ninformation for one of the nodes at random. We confirmed on January 26 2024\nthat, if one of the other nodes with that IP loaded \u003ccode\u003ehello.ts.net\u003c/code\u003e, they would\nsee another user\u0027s name, email, and hostname.\u003c/p\u003e\n\u003cp\u003eThe Tailscale Security Team immediately took \u003ccode\u003ehello.ts.net\u003c/code\u003e offline while the\nfix was in progress. The issue has been fixed and the \u003ccode\u003ehello.ts.net\u003c/code\u003e service\nwas restored on January 29 2024.\u003c/p\u003e\n\u003ch5\u003eWho was affected?\u003c/h5\u003e\n\u003cp\u003eThe incident was isolated to 10 users across 9 tailnets who could have had\ntheir information leaked to other Tailscale users. We notified the tailnet\nsecurity contacts directly in accordance with our obligations under applicable\ndata privacy laws. Due to the random nature of the vulnerability, we cannot\nconfirm that all of those users were indeed affected.\u003c/p\u003e\n\u003cp\u003eRegular \u003ca href=\"https://tailscale.com/kb/1084/sharing\"\u003eshared nodes\u003c/a\u003e always see unique node IPs and were not\nvulnerable in a manner similar to \u003ccode\u003ehello.ts.net\u003c/code\u003e.\u003c/p\u003e\n\u003ch5\u003eWhat was the impact?\u003c/h5\u003e\n\u003cp\u003eA small number of users had their name, email, and hostname potentially exposed\nto other Tailscale users that had nodes sharing the same IP.\u003c/p\u003e\n\u003cp\u003eIn addition, the \u003ccode\u003ehello.ts.net\u003c/code\u003e service was offline between January 26-29\n2024. Several users reported being negatively impacted by this.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003eNo action is needed at this time.\u003c/p\u003e\n\u003cp\u003eIf you have a dependency on \u003ccode\u003ehello.ts.net\u003c/code\u003e as a probing target for Tailscale\nconnectivity, consider using \u003ca href=\"https://tailscale.com/kb/1073/hello#does-hellotsnet-have-a-reliability-guarantee\"\u003ea different probing\nmechanism\u003c/a\u003e.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: We resolved an information disclosure vulnerability in the\n\u003ca href=\"https://tailscale.com/kb/1073/hello\"\u003ehello.ts.net\u003c/a\u003e service.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eOn January 15 2024, we became aware of a potential information disclosure\nvulnerability in the \u003ccode\u003ehello.ts.net\u003c/code\u003e service, which could show the identity of a\ndifferent Tailscale user when loaded. The \u003ccode\u003ehello.ts.net\u003c/code\u003e service receives\nidentity information and public keys of nodes tied to their IP address. On\nNovember 28 2023, we made a \u003ca href=\"https://tailscale.com/blog/choose-your-ip\"\u003echange\u003c/a\u003e to how IPs are assigned to\nTailscale nodes, making them globally non-unique. When the Tailscale service\nassigned the same IP to multiple nodes, \u003ccode\u003ehello.ts.net\u003c/code\u003e would receive identity\ninformation for one of the nodes at random. We confirmed on January 26 2024\nthat, if one of the other nodes with that IP loaded \u003ccode\u003ehello.ts.net\u003c/code\u003e, they would\nsee another user\u0027s name, email, and hostname.\u003c/p\u003e\n\u003cp\u003eThe Tailscale Security Team immediately took \u003ccode\u003ehello.ts.net\u003c/code\u003e offline while the\nfix was in progress. The issue has been fixed and the \u003ccode\u003ehello.ts.net\u003c/code\u003e service\nwas restored on January 29 2024.\u003c/p\u003e\n\u003ch5\u003eWho was affected?\u003c/h5\u003e\n\u003cp\u003eThe incident was isolated to 10 users across 9 tailnets who could have had\ntheir information leaked to other Tailscale users. We notified the tailnet\nsecurity contacts directly in accordance with our obligations under applicable\ndata privacy laws. Due to the random nature of the vulnerability, we cannot\nconfirm that all of those users were indeed affected.\u003c/p\u003e\n\u003cp\u003eRegular \u003ca href=\"https://tailscale.com/kb/1084/sharing\"\u003eshared nodes\u003c/a\u003e always see unique node IPs and were not\nvulnerable in a manner similar to \u003ccode\u003ehello.ts.net\u003c/code\u003e.\u003c/p\u003e\n\u003ch5\u003eWhat was the impact?\u003c/h5\u003e\n\u003cp\u003eA small number of users had their name, email, and hostname potentially exposed\nto other Tailscale users that had nodes sharing the same IP.\u003c/p\u003e\n\u003cp\u003eIn addition, the \u003ccode\u003ehello.ts.net\u003c/code\u003e service was offline between January 26-29\n2024. Several users reported being negatively impacted by this.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003eNo action is needed at this time.\u003c/p\u003e\n\u003cp\u003eIf you have a dependency on \u003ccode\u003ehello.ts.net\u003c/code\u003e as a probing target for Tailscale\nconnectivity, consider using \u003ca href=\"https://tailscale.com/kb/1073/hello#does-hellotsnet-have-a-reliability-guarantee\"\u003ea different probing\nmechanism\u003c/a\u003e.\u003c/p\u003e"
  },
  "title": "TS-2024-002",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2024-002"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.